The present invention generally relates to security, and particularly, to a method and system for verifying the authenticity of identity claims of entities engaged in an online transaction over a network.
In the current business trend, enterprises typically use the Internet to provide online transaction facilities to their customers, vendors or partners in order to stay competitive in the emerging market. These online transaction facilities may include an online banking service, an online trading service or any other related service. Generally, the online transaction may include one or more entities interacting or communicating with each other, which are unknown to each other. The communicating entities may exchange sensitive data during the online transaction. Thus, reliance on the Internet to carry out sensitive and critical transactions is ever increasing, and there is a greater need for building a trust relationship between the communicating entities during an online transaction.
Typically, to build a trust relationship between communicating entities (henceforth the interacting entities are also referred to as a client and/or a server), the server should verify the authenticity of the client and the client should, in turn, verify the authenticity of the server. After this verification process, the client may initiate the online transaction. However, this is not followed in practice. The server is generally capable of verifying the authenticity of the clients by means of validating the client credentials. The credentials may include any of a clientname, a password, a digital certificate, and so forth. However, the client is generally not capable of verifying the authenticity of the server.
Technical solutions like digital certificates may provide a way to uniquely identify the interacting entities. The server may well have its own digital certificate. However, the failure on the part of the client to verify the authenticity of the server is not because of a lack of technical solutions that are used to uniquely identify the server, but because the client may not be capable of verifying the authenticity of the server by virtue of not being knowledgeable enough about the technical solutions. This broadens the gap between the server and the client while trying to build the trust relationship during the online transaction and makes the whole setup vulnerable to attacks.
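The verification the client side is expected to perform with a server certificate, as an added illustration that is not part of the original text: the certificate must chain to a trusted authority and must actually name the host the client intended to reach. The certificate dict, hostnames and issuer below are constructed for this example.

```python
import ssl

# Constructed peer certificate in the dict layout that ssl.SSLSocket.getpeercert()
# returns for a verified peer; hostnames and issuer are hypothetical.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if hostname is covered by a DNS subjectAltName entry of cert.

    Comparison is case-insensitive and label by label; '*' is accepted only
    as the complete leftmost label, so neither 'bank.example.evil.test'
    (extra labels) nor 'a.b.bank.example' (wildcard spans one label) matches.
    The commonName is deliberately ignored, as modern clients do.
    """
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        matched = True
        for i, (p, h) in enumerate(zip(pat, host)):
            if p == "*" and i == 0:
                continue          # wildcard covers exactly this one leftmost label
            if "*" in p or p != h:
                matched = False   # partial/misplaced wildcard, or label mismatch
                break
        if matched:
            return True
    return False


def client_context() -> ssl.SSLContext:
    """Context a client application should use: the chain must lead to a
    trusted CA (CERT_REQUIRED) and the certificate must name the requested
    host (check_hostname). Both checks run before any sensitive data is
    sent, without relying on the user's judgment."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    for name in ("bank.example", "login.bank.example", "bank.example.evil.test"):
        print(name, hostname_matches_cert(name, SAMPLE_PEER_CERT))
```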
Hackers have exploited this fundamental flaw in establishment of trust relationship and have created exploits that are commonly known as phishing attacks. Phishing attacks are generally aimed at stealing sensitive information of the client, which includes at least one of client credentials, social security number or credit card details, using social engineering techniques by masquerading as a trustworthy business entity, via electronic channels like the Internet. It relies on the ignorance on the part of the client while interacting with the server.
There exist measures to address such security attacks. A few of them include: a) using filters in an Internet browser and Domain Name Servers (DNS) to prevent the client from connecting to known malicious servers (web applications etc.), b) Internet browsers prompting the client to verify the identity claims made by the server applications, thus allowing the client to accept or reject the identity claim based on the client's knowledge, c) usage of a fingerprint impression of the client at the time of registration with the servers to verify the authenticity of the server (web application) by means of a fingerprint (usually an image) which was set by the client at the time of registration, and d) disabling scripts in e-mail clients to prevent accidental access by the client to malicious web sites embedded within.
However, all of the above techniques are associated with a few fundamental problems. The filters used in the Internet browser and the DNS may filter out only known malicious servers. If a new malicious site is created, the existing filters may not be able to block the server. Internet browsers prompting the client to verify the identity claims depend solely on the judgment of the client. Since most of the clients are not aware of the technical complexities involved in identity claims, relying on the knowledge of the client is prone to failure. Using fingerprints also fails against a man-in-the-middle (MITM) attack. The method of disabling scripts in an e-mail client may reduce the client's visits to malicious sites but does not help the client in verifying the authenticity of the identity claims.
The aforementioned solutions are aimed at providing symptomatic cures by trying to prevent the client from connecting to a malicious entity. But in spite of these, if the client connects to a malicious system, such solutions may not offer further assistance.
Thus, there is a need for a reliable method and system for building a trust relationship between the communicating entities by verifying the authenticity of identity claims of the communicating entities in an online transaction over a network. A client should be able to identify whether the server (web site, etc.) with which it is interacting through a client application during an online transaction is indeed the right server.